Maryland Testing E-Voting System That Lets People Verify Their Votes Counted
from the experimenting-away dept
For many years, David Chaum has been pushing for a voting system that he claims will be a lot more reliable. Basically, after you vote, you get a coded number, and then after the election, you can go to an election website, punch in your code and make sure that your vote counted, and was for whom you meant to vote. On top of this, there’s a system for auditors to check to make sure that votes were counted accurately, with information released publicly so people can “audit” the election without being able to connect voters to their votes. This system tends to generate a lot of controversy (though some of it appears to be from people who just don’t like David Chaum, rather than because they really have a problem with his system). However, the system hasn’t been really tested in an actual US election… until now. The municipal elections in Takoma Park, Maryland used the system, despite the state recently signing a big deal with Diebold. It’s not clear how the overall election went yet — or how many people actually checked their votes online (approximately 30% in an exit poll said they copied down the code). However, it’s good to see that some gov’ts are not just accepting what the big e-voting firms give them, and are willing to explore more sophisticated voting systems that aren’t based on pure faith in the e-voting company to get the system right.
Filed Under: accuracy, david chaum, maryland, takoma park, voting
Comments on “Maryland Testing E-Voting System That Lets People Verify Their Votes Counted”
Questions
I wonder how they deal with the issue of vote selling. That’s always been a problem with “receipt” type systems because it allows the voter to later prove to a someone else how they voted in order to collect a payment.
The other problem is that someone could also pressure or even force someone to prove how they voted. With the secret ballot system that isn’t possible, but with a receipt system it is.
Do they have answers to these problems or are they just ignoring them? I didn’t see them mentioned in the article.
Re: Questions
“I wonder how they deal with the issue of vote selling”
Exactly my question too. If not the system is useless.
Geeks always focus on the technical aspects (me too), and of course open source is important if you are going to use electronic voting at all. But in the end this boils down to a trust issue. Can your 80 year old neighbour lady understand how the counting is done? If not, can she still trust the system?
Re: Re: Questions
“After making their choices, voters use a form to write down the serial number that is printed on their ballot as well as the three-digit codes inside the ovals they’ve chosen. The codes are generated cryptographically and are different on every ballot to prevent someone from deciphering the voter’s choices and engaging in vote-buying.
When polls close, voters can go to the election office website, type in their ballot serial number and see a rendition of a ballot, showing the three-digit codes for their votes. This way voters can be assured that their ballot was included in the final tally.”
So what the website shows is the code, not what was voted for, and the codes are different for each ballot. Which means vote buying is prevented.
Also the serial number is in no way associated with an individual voter (except through the receipt) so it would be impossible to determine the identity of a voter from the ballot. Now if you have the ballot and a copy of their receipt it’s a different story.
Re: Re: Re: Questions
After making their choices, voters use a form to write down the serial number that is printed on their ballot as well as the three-digit codes inside the ovals they’ve chosen. The codes are generated cryptographically and are different on every ballot to prevent someone from deciphering the voter’s choices and engaging in vote-buying.
You know, I don’t remember seeing that part in the article earlier. Has it been “updated”? But anyway, in that case the receipt is also not very useful to the voter either because the system doesn’t tell them which candidate their vote is being counted for. So why bother?
Re: Questions
In the story they also say that each ballot has a serial number on it. It doesn’t seem like it would be too hard for an observer to correlate a voter with the serial number on the ballot given him or her and determine how they voted.
Re: Re: Questions
Paper punch ballots also have a serial number, so your argument would stand with ALL voting.
Re: Re: Re: Questions
Paper punch ballots also have a serial number, so your argument would stand with ALL voting.
Mine never have. Where have you been voting that they have?
Re: Questions
Precisely correct — this system enables vote selling, therefore it must be discarded immediately. This is a novice-grade error in the design of voting systems, which means that the people developing/using this system are far too inexperienced to be permitted anywhere near an election.
Re: Re: Questions
Wait…
Go back and reread the article again. You missed something. The online part only has a code for a particular vote, not the specific option the person picked. It either matches with the code the voter wrote down, or it doesn’t. Again, for comprehension: It does NOT specify option the voter selected, therefore it does not support vote buying.
Re: Re: Re: Questions
Great. Then it doesn’t support verification, either.
It’s impossible to have this both ways simultaneously, based on basic information theory principles — it doesn’t matter how it’s implemented. Now…it might be more difficult to recover that information, depending on the implementation, or it might be that some information is deliberately withheld, again, depending on the implementation, but you can’t achieve both goals (that is: voter verification and anonymity) simultaneously, because you can’t “have” and “not have” the same data simultaneously.
As a side point, and without looking at the algorithms they’re using, this is just an observation for further study: any number of very interesting studies lately have shown that anonymized data often isn’t very. I’m thinking of the NetFlix data, for example. What happens when (not if) the raw data gets disclosed? Is what’s in there sufficient to allow de-anonymization?
And yes, it very much is “when”. Someone will lose a CD or misplace a USB stick or have a laptop stolen. It’s guaranteed. So the time to think about what the consequences are is now, not afterwards when everyone’s wringing their hands and saying “No one could have foreseen….” and “We have no evidence that the data…”
and all the other things that they always say to cover up their lack of vision and foresight.
Re: Re: Re:2 Questions
It does support verification, go back and read the article again and pay careful attention to the pictures. The special pen used to mark your vote uncovers a code for each item you voted for. So basically to verify your vote you record the serial # and the code uncovered when you entered your vote. In the wired article, the first pic shows “JW” where the person selected the item to vote for and the 2nd pic shows a person entering serial # and being show the “JW” code. In reality, I’m guessing each ballot will be different and thus while you can verify your vote is recorded as you filled it out. It also prevents anyone from verifying who you voted for as that code could be for any candidate.
Re: Re: Re:3 Questions
It does support verification,
Umm, apparently not.
go back and read the article again
ditto
The special pen used to mark your vote uncovers a code for each item you voted for. So basically to verify your vote you record the serial # and the code uncovered when you entered your vote.
Each ballot is also different, so a JW vote on your ballot would be different than a JW vote on someone else’s. There is no verification that JW on your ballot is counted towards the candidates you actually wanted.
Re: Questions (proposed answers)
Good points. However, I still am highly in favor of a system that provides verification. There is a long and time-honored history of screwing around with elections through any means possible. No solution is perfect, but I lean toward systems which provide fewer intermediary steps (and the resulting attack vectors).
It sounds like they just need one more step, similar to that implemented by TrueCrypt encryption. TrueCrypt provides a way for someone to “reveal” low-value data while keeping the real data encrypted in such a way that there is no possible way for the attacker to even prove it exists. (You have to understand some things about encryption to understand how this is possible, but it really does work.)
Perhaps they could just provide a “practice vote” button and clearly warn voters that this will in every way look/act like a real vote and a receipt will be issued, but it will not actually count in the election. Anyone being threatened will figure out the usefulness of “practice voting” pretty quickly.
A variant of this would be to only issue one receipt, even if a practice vote was cast in addition to the real vote. However, as part of the practice vote, have the user enter their own code. Unless that code is entered (and the “user code, if applicable” field would always be displayed on the confirmation web page), only the practice vote result would be displayed with no indication that it is a practice vote or that a real vote result also exists. This way, no one could be shaken down after they voted to see if they had more than one receipt.
Re: Re: Questions (proposed answers)
This way, no one could be shaken down after they voted to see if they had more than one receipt.
Sure they could. All the vote buyer has to do is instruct the voter as to how to cast their “practice” vote in addition to their counted vote. Afterward, the buyer simply has to require the voter to reveal both votes to prove that they voted as instructed.
Not as simple as you thought, huh? That’s why no one has yet figured out how to make a receipt system also a secret system. The two goals are diametrically opposed.
Re: Questions
Another problem with a receipt system like this is that it allows a voter to claim to have proof that their vote was recorded incorrectly whether it is was or not.
For example, all a supporter of a long shot candidate has to do is purposely vote for a different candidate and then use his or her receipt as “proof” of a rigged election to get the election results invalidated.
Open Source Anyone?
I still think the idea of Open Source code development is going to be essential to the success of e-voting, and I also believe that in our modern connected society electronic vote collection is going to be absolutely necessary. I have not previously considered the idea of “Paid” voting that was mentioned in the previous post, but some type of confirmation would be a good security feature to prevent data tampering. I guess that is why I like Open Source so much, you don’t have to depend on a small group of developers to brainstorm the possibilities to test against.
Re: Open Source Anyone?
I still think the idea of Open Source code development is going to be essential to the success of e-voting, and I also believe that in our modern connected society electronic vote collection is going to be absolutely necessary.
As I’ve pointed out previously, while of course open source is a mandatory requirement for voting systems, it’s not sufficient — in fact, it’s not even close.
Go read Bruce Schneier’s 2004 essay on what it would cost to steal an election. Then adjust appropriately for the political and financial climate of 2010. Then realize that there is easily enough money in play to pay for custom hardware — that is, wafer fab. And anyone who has mastered even first principles of security knows that what’s in the code doesn’t matter if the hardware has been gamed.
It is exceedingly foolish to deploy or advocate electronic voting systems given this reality. We would be far better served by using the simplest available methods (e.g., pencil and paper) as those are far more difficult to attack en masse. Given the infrequency of our elections, it is really quite unimportant if result compilation takes a week or two.
On a related subject go watch HBO’s Hacking Democracy (available on a torrent near you) and see how Diebold promised and delivered the elections on a silver plate to war-criminal-retarded-chimp Dubya.
You’d think all involved parties would be interested in having accurate vote counting. In the land of the sheep, home of the lame? Think again.
Ditto on the vote selling thing (or worst, forcing someone to vote your way). Here, we use the old-fashioned secret paper vote and vote selling is done in the way of taking your id card and impersonating you when voting… which is kind of difficult to accomplish. With a receipt, it’s way easier to force you.
Re: Re:
Only if you’re a water-bellied, weak willed sheep.
Here's the solution
Such measures are far too complicated. The solution is simple. The voting machine issues a paper copy of the vote when it is cast. The voter reviews this copy and must place it in a sealed collection box prior to leaving the polling place. Cell phones or other photographic devices are not allowed in the polling place.
Some measure would have to be made for ballots where someone disputed that the machine voted the way they expected, but a well designed machine shouldn’t have problems with this, and the paper ballots could be utilized as an audit trail if the electronic results are in question.
Re: Here's the solution
Disputes? Bar code on the printed receipt that allows the ballot to be nullified and the voter can go and correct their ballot. The bar code should be removed and destroyed before the voter leaves.
Re: Here's the solution
Such measures are far too complicated. The solution is simple. The voting machine issues a paper copy of the vote when it is cast. The voter reviews this copy and must place it in a sealed collection box prior to leaving the polling place.
This system uses *paper* ballots. How would it help to make a paper copy of a paper ballot? You didn’t read the article, did you?
Here's the solution
So your solution is to have “some measure” as part of a “well designed machine”? Forgive my flagging confidence.
The system as proposed enables no more vote-selling than do portable cameras (or pork barrel spending, for that matter). Seriously, being able to verify that your vote was cast the way you wanted means the system “must be discarded immediately”? I’m happy to hold voting systems to a high ideal standard, but they only need to be so good before they’re better than what’s currently in use. Good on Takoma Park for preferring an provably unhackable system (ie, mathematically impossible to both correctly report everyone’s ballots and falsely report the total vote) over the proven insecure Diebold system.
Re: Here's the solution
It’s a bad solution to the wrong problem.
It is not necessary that voters verify their votes: presumably, having cast them, they KNOW how they cast them.
It is necessary, however, that everyone else be able to verify that votes are not altered and that they’re counted properly. This is a different design problem, but one that has to be solved in order for us to verify that elections are conducted properly.
And the problem is that any solution to the first — which actually allows voters to in any way verify their specific ballot choices after the fact — enables vote-selling, bribery, and extortion. And of course without that, it’s really quite meaningless to provide any verification, e.g. “Your ballot was counted” does not tell the voter that their ballot was counted correctly, although I’m sure many ignorant people will foolishly presume it does.
However, as a society, we require a solution to the second. Moreover, we require a solution that preserves anonymity and that works even when individual voters don’t care to participate in it. Beyond that, it has to work in spite of hardware and software failure, operator incompetence, and voter incompetence. And beyond that, it has to work in the presence of very sophisticated. well-funded attacks (see Schneier’s article, again, which is required reading for anyone commenting on voting machines).
And nobody is even remotely close to that. Merely “better than what we already have” is simply not good enough, because “what we already have” is pathetic. And democracy is far too important to allow the franchise to be used as a alpha test site for electronic voting.
The only correct approach to this is to use paper/pencil methods UNTIL someone manages to solve all of these problems simultaneously AND demonstrate the ability to fend off a multi-year, multi-hundred-million dollar attack. Because that’s the threat, and it’s incredibly foolish to merely wish it away because it’s a hard threat to counter.
Re: Re: Here's the solution
I agree on several of your points, but I think you missed a few key points about this solution. It does preserve anonymity AND allows individual verification (and mass verification). It allows you to verify that your vote is counted correctly in the total. The only caveat is you have to put faith both in the independent auditors and in the fact that the software who’s source you can see and verify is in fact running on those machines and on the servers.
To steal an election with this system is more complex than pencil and paper, aside from bribing/switching the groups people counting the votes (auditors) you also have to somehow steal the votes in the first place, through complex replacement of the software.
Re: Re: Re: Here's the solution
The only caveat is you have to put faith both in the independent auditors and in the fact that the software who’s source you can see and verify is in fact running on those machines and on the servers.
Right. And what I’m telling you is that even if you personally verify the software (presuming that you have the relevant skillset, the tools, and the time) that is NOT a guarantee that the software is going to do what you think it does — because you haven’t verified the hardware.
This is why I keep referencing Schneier’s critical essay and find myself increasingly frustrated with people who haven’t read it and grasped the implications. People are simply not coming to grips with the budget available to attackers and thus with the scope/scale of the attacks they can mount. So even optimistically presuming that the software is perfect (and anyone with the slightest clue knows it’s not and has no prospects of being so anytime soon), there’s no reason to believe it’s executing correctly.
Here’s the URL for Schneier’s essay:
http://www.schneier.com/crypto-gram-0404.html#4
He wrote that in 2004. I think his estimate should conservatively be revised upward by a factor of 5, given the changes in economic conditions, political climate, etc. So anyone deploying systems such as these MUST be prepared to engineer against attackers with half-billion dollar budgets. Which means gate-level attacks. Which is exactly what I’d be doing were I the attacker, ignoring all the blathering about software, since I would know that in the end it will execute on my hardware.
There is no place for “faith” anywhere in these system or this process. Faith is for fools.
Re: Re: Re:2 Here's the solution
I guess what I’m arguing is that there are more hurdles to overcome in stealing the election with this system than there are in the pencil/paper system.
I’ve perused Schneier’s essay, and I disagree with some major parts of it (a candidate still has to run a legitimate campaign to even fake a victory, and the money has to come from and go to somewhere, so there’s a lot of hurdles to prevent just bam, campaign budget = steal election budget) – I don’t think it’s relevant.
Whether the money is there to steal that specific election or not, the best we can do is the best we can do. I don’t see how pencil and paper provides a greater level of public scrutiny than this open system?
Re: Re: Re: Here's the solution
It allows you to verify that your vote is counted correctly in the total.
Not according to the article. It only allows you to verify that you ballot was supposedly read. It tells you nothing about how it was counted.
Re: Here's the solution
The system as proposed enables no more vote-selling than do portable cameras…
So, with a portable camera how do you prove that the ballot you took a picture of is the same one you dropped in the box?
It would nice if some of you at least thought about the problem a little bit before pronouncing your supposed solution.
I think that paper ballots are the way, with some sort of easy procedure for counting (rfid, bar codes, whatever), and some sort of electronic measure for pre-counting. IE, having your electronic vote emit a receipt you have to review and put in a ballot thingie. That way, you can know the results beforehand and have some sort of manual recount that ensures fairness.
It does not allow vote selling
The system provides the voter only with a 2 digit code, that they verify matches up with the 2 digit code that got counted. That code is unique to the voter, and not easily identifiable as a candidate.
The problem with that is of course how do you know your 2 digit code did go to your candidate, which is where the independent auditor part comes in.
It really is a pretty well thought out system, taking a lot of human error and laziness into account in its design. I really think the actual use of this system is the most promising news on voting I’ve heard in the last 10 years
Another view
Dr. Chaum has been working with using cryptology in the voting industry for many years. Although some of you have found fault with David’s solution for various reasons, the great news is that a voting jurisdiction has taken the lead to try something new. Rather then retreat to “Is it certified?” or “how many other jurisdiction are using it?”, Maryland should be congratulated that it has the guts to try something new.
Open source is an element for future voting systems. But it requires a mechanism in place to ensure that the open source code reviewed is exactly the same code that is on the devices.
Selling votes is very very easy. I request an absentee ballet to be sent to me at home. In the evening I go to the Do Drop Inn and hold up my ballot. Let the auction begin. At work my boss calls me in to his office. Steve we have to let some people go soon. But if you let me help fill out your ballet, I may find a way to keep you on the payroll?. Of course this never ever happens!!!
Much of the source for the voting disenfranchisement is the result of a Catch 22 design of the 2002 and 2005 Election Assistance Commission Voluntary Voting Guidelines. The testing requirements were created to certify existing (or near term) technologies. Virtually no room in the requirements to create and innovate with technologies that come on line over the past 5 years.
The good news is the 2007 Voluntary Voting Guidelines ( http://www.eac.gov/vvsg ) does include a new classification named Innovative?. The guidelines will become more dynamic and can be changed to accommodate new technologies and ideas.
Of course you are free to complain or you could dive in and create new ways of moving the voting industry forward.
Re: Another view
Rather then retreat to “Is it certified?” or “how many other jurisdiction are using it?”, Maryland should be congratulated that it has the guts to try something new.
I don’t think so. This is the real world, not somebody’s testbench. Should experimentation be done? Sure. Should it be done when real elections are involved? Absolutely not.
Re: Another view
Selling votes is very very easy. I request an absentee ballet to be sent to me at home.
That’s also a problem with absentee ballots. But why make it worse? That’s kind of like saying “Well, people are killing each other anyway, so let’s just go ahead and let them”. That’s *not* the solution.